
Friday, August 3, 2012

Andre' DiMino posted an excellent analysis of Cridex banking malware using Volatility on sempersecurus.blogspot.com, and if you wish to repeat his steps or are interested in this malware, I am posting the corresponding samples. Cridex is a complex financial trojan and is being distributed via spam messages (carrying exe files in zipped attachments) and the Blackhole Exploit kit.
The messages have various themes - from UPS, Fedex, USPS to Groupon deals and "HP-scan" and other lures. Some message screenshots and corresponding malware are posted below.

If you are interested in memory analysis, please see the resource section of this post (links to the tools: Volatility, Mandiant Redline, memory dumps and other memory analysis done by Andre' and other researchers).

Using the Volatility 'pslist' command, we can see a list of the running processes. However, it's instructive to use this in conjunction with the 'psscan' command in order to see those processes that have terminated, are unlinked, or hidden. In this case, no discrepancies between the two commands jump out at me, but I do notice a couple of things. First, I see a process, reader_sl.exe, PID 1640, start exactly at the same time as its parent process, explorer.exe, PID 1484. I see that the parent process ID for explorer.exe is 1464, which is not listed in either 'pslist' or 'psscan'. reader_sl.exe is supposedly a safe process, associated with Adobe Speed Launcher, but the launch chain for this seems odd, so I'll keep note of this for now. Next, I see a second wuauclt.exe process start about 15 seconds after the first. This isn't a major flag, but just something to note.

pslist command

psscan command

The next useful Volatility commands that I use for malware analysis are the 'connections' and the 'connscan' commands. Again, running both of these will allow you to see variances, as 'connscan' will show artifacts from previous connections.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.